How can I download a file from a host I can only SSH to through another host?

I want to download files from my office computer to my laptop.

I can connect to my office machine by SSHing to the organization server and then SSHing from the server to my office machine.

The only commands the organization server accepts are ssh, ssh1, and ssh2.

How can I download a file from my office (remote) machine through the server into my laptop (local) machine?

Answers:


Method 1

If you have a recent OpenSSH (8.0) locally, you can use the -J (jump) switch:

scp -J user@intermediate user@target:/path

With older versions (but at least 7.3), you can use the ProxyJump directive, either on the command line:

scp -o ProxyJump=user@intermediate user@target:/path

or in the ssh_config file, as the answer by @Ángel shows.


There are other options like ProxyCommand or port forwarding, which you can use on even older versions of OpenSSH. These are covered in Does OpenSSH support multihop login?

Method 2

The previous answers mention how to use the ProxyJump directive (added in OpenSSH 7.3) to connect through an intermediate server (usually referred to as the bastion host), but mention it just as a command line argument.

Unless it is a machine you won’t be connecting to in the future, the best thing is to configure it in ~/.ssh/config.

I would put a file like:

Host office-machine
Hostname yochay-machine.internal.company.local
ProxyJump bastion-machine

Host bastion-machine
Hostname organization-server.company.com
...

If you are using an earlier version of OpenSSH which doesn’t support ProxyJump, you would replace it with the equivalent:

ProxyCommand ssh -W %h:%p bastion-machine

and if your local ssh version was a really ancient one that didn’t support -W:

ProxyCommand ssh bastion-machine nc %h %p

although this last one requires that the bastion machine has nc installed.

The beauty of ssh is that you can configure each destination in the file, and they will stack very nicely. Thus you end up working with office-machine as the hostname in all the tools (ssh, scp, sftp…) as if they were direct connections, and they will figure out how to connect based on the ssh_config. You could also have wildcards like Host *.internal.company.local to make all hosts ending like that go through a specific bastion, and it will apply to all of them. Once configured correctly, the only difference between doing one-hop connections or twenty would be the slower connection times.

Method 3

Sometimes we can just use the pipeline. That time is today.

ssh -A user@host1 ssh user@host2 cat filename > filename

You can upload too

ssh -A user@host1 ssh user@host2 cat \> filename < filename

Yeah there are other solutions involving proxying, etc. but knowing how to do this is useful.

Method 4

Use the ProxyJump configuration:

ProxyJump
Specifies one or more jump proxies as either [user@]host[:port] or an ssh URI. Multiple proxies may be separated by comma characters and will be visited sequentially. Setting this option will cause ssh(1) to connect to the target host by first making a ssh(1) connection to the specified ProxyJump host and then establishing a TCP forwarding to the ultimate target from there.

scp -o ProxyJump=user@intermediate user@target:/path

Method 5

There is an ancient protocol called ZMODEM: few programs support it these days, but when it works, it can be pretty convenient.

First check if your laptop’s terminal program supports ZMODEM. (For example, you can configure iTerm2 (on Mac) to support ZMODEM. An example script is available here.)

On your office machine, run: sudo apt install lrzsz

Now all you have to do is ssh to your office machine, and run sz (filename). The file will be downloaded via your terminal.

Method 6

Configuration under ssh of user: ~/.ssh/config

Host *
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking=no
    ServerAliveInterval 300
    ServerAliveCountMax 2
    ForwardAgent yes


Host jump server
    HostName server.company.org
    User root

Host jump1 server1
    HostName server1.dmz.company.org
    User root
    ProxyJump jump

Host jump2 server2
    HostName server.dmz2.company.org
    User root
    ProxyJump jump1

Host *.intranet.company.org
    User user
    ProxyJump jump2

You can now copy from an intranet server directly over 3 jump servers.

scp [email protected]:/home/user/ ./*

I prefer this because there is no longer a need to specify jump servers with scp.
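
An added check, not part of the original answers: the Host * block in Method 6 accepts any host key and forwards the agent to every host, and Method 3 forwards it with -A, while ProxyJump authenticates from the client over a TCP forward and needs neither. The script below lints an ssh_config for those settings; the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original answers: flag ssh_config settings that
# weaken host-key checking or expose the agent on jump hosts.

lint_ssh_config() {
    awk '
    function flag(msg) { printf "line %d [%s] %s=%s: %s\n", FNR, scope, key, val, msg; found++ }
    BEGIN { scope = "global" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        n = match(line, /[ \t=]/)            # keyword ends at whitespace or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n)
        sub(/^[ \t]*=?[ \t]*/, "", val)      # accept "Key value" and "Key=value"
        sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") { scope = key " " val; next }
        lv = tolower(val)
        if (key == "stricthostkeychecking" && (lv == "no" || lv == "off"))
            flag("new host keys are accepted without confirmation")
        if (key == "userknownhostsfile" && val == "/dev/null")
            flag("no host key is remembered, so a swapped key is never noticed")
        if (key == "forwardagent" && lv == "yes")
            flag("agent is usable by the remote host; ProxyJump does not need it")
    }
    END { exit (found > 0) }
    ' "$@"
}

# Constructed sample: the wildcard block from Method 6 plus one jump entry.
sample_config() {
    cat <<'EOF'
Host *
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking=no
    ServerAliveInterval 300
    ForwardAgent yes

Host jump1 server1
    HostName server1.dmz.company.org
    ProxyJump jump
EOF
}

# The function exits non-zero when it finds something, so it can gate a CI job.
sample_config | lint_ssh_config || echo "findings listed above"
```

Pass a file name instead of piping, for example lint_ssh_config ~/.ssh/config, to check a real configuration.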

Method 7

Via SCP -3:

scp -3 user1@remote1:/root/file1.txt user2@remote2:/root/file1.txt

Method 8

This is what worked for me:

scp -o 'ProxyJump user@intermediate' user@target:/filepath .

The . at the end indicates that the target download path is the current folder.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
